author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-05-27 10:56:24 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-05-29 16:35:01 -0400 |
commit | f85c1fc293523db241c48d815b165067b8a0f471 (patch) | |
tree | 67dea8864ca5233007ec3242311211c3e0dbabf6 /vold.te | |
parent | eb1bbf2632dc20e836f3d340feab548ee496e291 (diff) | |
Allow installd, vold, system_server unlabeled access.
The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/
Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose. vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so. system_server tries to access all /data/data
subdirectories so permit it to do so. installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.
Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'vold.te')
-rw-r--r-- | vold.te | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set; allow vold asec_image_file:file create_file_perms; allow vold asec_image_file:dir rw_dir_perms; security_access_policy(vold) -allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom }; +allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto }; allow vold asec_public_file:dir { relabelto setattr }; -allow vold asec_apk_file:file { r_file_perms setattr relabelfrom }; +allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; allow vold asec_public_file:file { relabelto setattr }; +# restorecon files in asec containers created on 4.2 or earlier. +allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; +allow vold unlabeled:file { r_file_perms setattr relabelfrom }; # Handle wake locks (used for device encryption) wakelock_use(vold) |
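Review bot: The two new `unlabeled` rules at the end of the hunk grant more than their comment describes. The comment scopes them to "asec containers created on 4.2 or earlier", but `allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };` and the matching `unlabeled:file` rule are keyed on the type alone, so they cover any unlabeled directory or file vold can reach, not only those inside an asec mount. Please say so in the comment and state when the rules can be dropped, so the grant does not outlive the legacy containers it is meant for. Separately, the `relabelto` added to the two `asec_apk_file` rules has no comment of its own. If it is the destination side of the same restorecon, moving the comment above those lines or adding a short one there would make that clear.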